[OpenWrt-Devel,procd,2/2] Allow disabling seccomp or changing the whitelist

Message ID 20180730073219.28553-2-sojkam1@fel.cvut.cz
State Accepted
Delegated to: John Crispin
Series [OpenWrt-Devel,procd,1/2] trace: Use properly sized type for PTRACE_GETEVENTMSG

Commit Message

Michal Sojka July 30, 2018, 7:32 a.m. UTC
From: Michal Sojka <michal.sojka@cvut.cz>

Without this change, once a service is started with seccomp, it is
impossible to restart it without seccomp or change the whitelist file
name. This commit fixes that. Disabling seccomp is as easy as
commenting out the "procd_set_param seccomp" line in init.d script.

Signed-off-by: Michal Sojka <michal.sojka@cvut.cz>
---
 service/instance.c | 6 ++++++
 1 file changed, 6 insertions(+)

Patch

diff --git a/service/instance.c b/service/instance.c
index 917b003..c14d348 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -637,6 +637,11 @@  instance_config_changed(struct service_instance *in, struct service_instance *in
 	if (in->respawn_timeout != in_new->respawn_timeout)
 		return true;
 
+	if ((!in->seccomp && in_new->seccomp) ||
+	    (in->seccomp && !in_new->seccomp) ||
+	    (in->seccomp && in_new->seccomp && strcmp(in->seccomp, in_new->seccomp)))
+		return true;
+
 	if (!blobmsg_list_equal(&in->limits, &in_new->limits))
 		return true;
 
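Review bot: the new seccomp check in instance_config_changed() compares only the string via strcmp(), so a whitelist whose contents are edited while its file name stays the same will not be reported as a config change and the instance keeps running under the old filter. If that is intended, a one-line comment above the check saying that only the name is compared would make it explicit. The three clauses are also harder to read than they need to be: the first two reduce to `!in->seccomp != !in_new->seccomp`, and a small helper for comparing two nullable strings would keep the next optional string parameter from repeating the same pattern.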
@@ -957,6 +962,7 @@  instance_config_move(struct service_instance *in, struct service_instance *in_sr
 	in->respawn_timeout = in_src->respawn_timeout;
 	in->name = in_src->name;
 	in->trace = in_src->trace;
+	in->seccomp = in_src->seccomp;
 	in->node.avl.key = in_src->node.avl.key;
 
 	free(in->config);
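Review bot: the added `in->seccomp = in_src->seccomp;` in instance_config_move() copies the pointer, not the string, and the context shows `free(in->config)` immediately afterwards. Please confirm which buffer owns the seccomp string and that it outlives the move, as with the `in->name` assignment two lines above; if it points into the source instance's config blob, a short comment saying so would make the lifetime clear to the next reader. The field controls whether the respawned process is sandboxed, so a dangling or stale pointer here would be a security-relevant failure rather than a cosmetic one.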